Burp, Bounce, and Break: How Web Cache Poisoning Let Me Control the App
Summary
The writer discusses web cache poisoning, also known as a cache poisoning attack.
It is a simple yet powerful technique that lets an attacker poison the web cache of a domain they do not control, potentially affecting thousands of users who are later served the poisoned response.
They describe the steps they took to identify and exploit a vulnerability on the fastapi-prod.target.com subdomain, beginning with initial reconnaissance and information gathering using tools such as subfinder, httpx, and ffuf.
They noticed that the application responded with a 206 Partial Content status code when requests returned an error, indicating that the response was being cached.
They then crafted a special request header, which ultimately allowed them to inject malicious content into the cached version of the response and potentially compromise the systems of vulnerable users.
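As an added illustration (not code from the original post), the following Python models the mechanism the summary describes: a shared cache keyed only on the request path, an origin that reflects an unkeyed request header into a cacheable page, and the keyed cache that closes the gap. The header name X-Forwarded-Host, the reflected markup and the sample requests are assumptions; the post does not name the header that was used.

```python
# Added illustration, not the original post's code. The header name
# X-Forwarded-Host and the cache key behaviour are assumptions.
from typing import Callable, Dict, Tuple

Request = Dict[str, str]   # e.g. {"path": "/", "x-forwarded-host": "..."}
Response = str


def origin(req: Request) -> Response:
    """Origin that builds an absolute script URL from X-Forwarded-Host.
    Reflecting a request-controlled value into a cacheable page is the
    defect that makes poisoning possible."""
    host = req.get("x-forwarded-host", "fastapi-prod.target.com")
    return f'<script src="https://{host}/static/app.js"></script>'


class Cache:
    """Minimal shared cache: one stored response per key."""

    def __init__(self, key_fn: Callable[[Request], Tuple]):
        self.key_fn = key_fn
        self.store: Dict[Tuple, Response] = {}
        self.hits = 0

    def fetch(self, req: Request) -> Response:
        key = self.key_fn(req)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        resp = origin(req)
        self.store[key] = resp
        return resp


def path_only_key(req: Request) -> Tuple:
    # Weak key: only the path, so X-Forwarded-Host is "unkeyed".
    return (req["path"],)


def keyed_key(req: Request) -> Tuple:
    # Mitigation: every header that influences the response is part of the
    # key (equivalently, the origin emits Vary or stops reflecting the value).
    return (req["path"], req.get("x-forwarded-host", ""))


def simulate(key_fn: Callable[[Request], Tuple]) -> Response:
    """First request carries the injected header (constructed sample); the
    second is an ordinary user. Returns what the ordinary user receives."""
    cache = Cache(key_fn)
    cache.fetch({"path": "/", "x-forwarded-host": "evil.example"})
    return cache.fetch({"path": "/"})
```

With the path-only key the ordinary user receives the stored response containing evil.example; with the keyed cache the two requests map to different entries and the user gets the legitimate host.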